CVE-2015-2756

Publication date 1 April 2015

Last updated 24 July 2024

QEMU, as used in Xen 3.3.x through 4.5.x, does not properly restrict access to PCI command registers, which might allow local HVM guest users to cause a denial of service (non-maskable interrupt and host crash) by disabling the (1) memory or (2) I/O decoding for a PCI Express device and then accessing the device, which triggers an Unsupported Request (UR) response.

Read the notes from the security team

Status

Show unmaintained releases

Package	Ubuntu Release	Status
qemu	15.04 vivid	Fixed 1:2.2+dfsg-5expubuntu9
	14.10 utopic	Fixed 2.1+dfsg-4ubuntu6.6
	14.04 LTS trusty	Fixed 2.0.0+dfsg-2ubuntu1.11
	12.04 LTS precise	Not in release
	10.04 LTS lucid	Not in release
qemu-kvm	15.04 vivid	Not in release
	14.10 utopic	Not in release
	14.04 LTS trusty	Not in release
	12.04 LTS precise	Not affected
	10.04 LTS lucid	Ignored end of life
xen	15.04 vivid	Not affected
	14.10 utopic	Fixed 4.4.1-0ubuntu0.14.10.5
	14.04 LTS trusty	Fixed 4.4.1-0ubuntu0.14.04.5
	12.04 LTS precise	Fixed 4.1.6.1-0ubuntu0.12.04.6
	10.04 LTS lucid	Not in release
xen-3.3	15.04 vivid	Not in release
	14.10 utopic	Not in release
	14.04 LTS trusty	Not in release
	12.04 LTS precise	Not in release
	10.04 LTS lucid	Ignored end of life

Notes

smb

This is a qemu change which is part of the xen package for the "traditional" qemu. Trusty and newer only provide qemu traditional as a backup but by default use the generic qemu from the archive and Vivid completely drops qemu traditional. So the non-qemut patches in that XSA need to go into qemu.

Patch details

For informational purposes only. We recommend not to cherry-pick updates. How can I get the fixes?

Package	Patch details
qemu	Upstream: http://git.qemu.org/?p=qemu.git;a=commit;h=81b23ef82cd1be29ca3d69ab7e98b5b5e55926ce

References

Related Ubuntu Security Notices (USN)